FAR/DFARS 800-171 Compliance Services


The problems and risks associated with a lack of compliance and absence of cybersecurity efforts of contractors, subcontractors, vendors, and suppliers that provide services to the Department of Defense (DoD) and civilian Federal agencies can negatively impact the security (i.e. confidentiality, integrity, and availability) of Covered Defense Information (CDI) and Controlled Unclassified Information (CUI). The Federal government is now utilizing a risk-based approach to procurement and the awarding of contracts. For commercial organizations to remain competitive regarding solicitations, each company that processes, stores, or transmits CDI or CUI must be proactive to address new safeguarding requirements and demonstrate compliance. The key components of DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, require improved cyber and supply chain security, including flow-down compliance requirements to subcontractors, vendors, and suppliers of a prime contractor.

The deadline for the implementation of the DFARS requirements for the improved cybersecurity of contractor organizations was December 31, 2017. All contractors attested that they were compliant to continue providing services under current DoD contracts. Many contractor organizations may not fully comprehend the concept of CUI security or supply chain security. It has been over a year since the deadline to achieve compliance has passed and many contractors that self-attested compliance and were not required to participate in a post-award audit must now demonstrate compliance to remain in good standing and continue to provide services to the DoD. It was announced in January 2019 that the Defense Contract Management Agency (DCMA) was selected to evaluate the compliance of Tier 1 Level Suppliers (i.e. suppliers that receive subcontracts from a prime contractor) using National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Revision 1, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, and verify compliance with flow-down requirements. Every contractor must establish:

  1. System Security Plan (SSP) and security documentation to meet requirements of NIST SP 800-171
  2. Plan of Action and Milestones (POA&M) to document/track deficiencies and corrective actions
  3. Plan to track the flow-down of CDI and CUI to vendors and suppliers
  4. Subcontract cyber security management program

The requirements for contractors and subcontractors of the DoD and Federal civilian agencies to secure CDI and CUI will become stricter to address emerging threats. NIST SP 800-171 will continue to be used during assessments to ensure a comprehensive and coordinated approach to determining the compliance of commercial organizations that handle governmental data. It is important to meet the baseline security requirements early to allow for adaptation as reporting systems/requirements change, assessment requirements change, and monitoring mechanisms are developed. If contractors are found to be non-compliant with security safeguarding requirements, then it may be considered a breach of contract that results in suspension, debarment, or a False Claims Act liability.


The problems and risks associated with a lack of compliance and absence of cybersecurity efforts of contractors, subcontractors, vendors, and suppliers that provide services to the Department of Defense (DoD) and civilian Federal agencies can negatively impact the security (i.e. confidentiality, integrity, and availability) of Covered Defense Information (CDI) and Controlled Unclassified Information (CUI). The Federal government is now utilizing a risk-based approach to procurement and the awarding of contracts. For commercial organizations to remain competitive regarding solicitations, each company that processes, stores, or transmits CDI or CUI must be proactive to address new safeguarding requirements and demonstrate compliance. The key components of DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, require improved cyber and supply chain security, including flow-down compliance requirements to subcontractors, vendors, and suppliers of a prime contractor.

The deadline for the implementation of the DFARS requirements for the improved cybersecurity of contractor organizations was December 31, 2017. All contractors attested that they were compliant to continue providing services under current DoD contracts. Many contractor organizations may not fully comprehend the concept of CUI security or supply chain security. It has been over a year since the deadline to achieve compliance has passed and many contractors that self-attested compliance and were not required to participate in a post-award audit must now demonstrate compliance to remain in good standing and continue to provide services to the DoD. It was announced in January 2019 that the Defense Contract Management Agency (DCMA) was selected to evaluate the compliance of Tier 1 Level Suppliers (i.e. suppliers that receive subcontracts from a prime contractor) using National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Revision 1, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, and verify compliance with flow-down requirements. Every contractor must establish:

  1. System Security Plan (SSP) and security documentation to meet requirements of NIST SP 800-171
  2. Plan of Action and Milestones (POA&M) to document/track deficiencies and corrective actions
  3. Plan to track the flow-down of CDI and CUI to vendors and suppliers
  4. Subcontract cyber security management program

The requirements for contractors and subcontractors of the DoD and Federal civilian agencies to secure CDI and CUI will become stricter to address emerging threats. NIST SP 800-171 will continue to be used during assessments to ensure a comprehensive and coordinated approach to determining the compliance of commercial organizations that handle governmental data. It is important to meet the baseline security requirements early to allow for adaptation as reporting systems/requirements change, assessment requirements change, and monitoring mechanisms are developed. If contractors are found to be noncompliant with security safeguarding requirements, then it may be considered a breach of contract that results in suspension, debarment, or a False Claims Act liability.


Upcoming CMMC Requirements

Most organizations in the Defense Industrial Base are already aware of the impending changes to the DFARS which will require bidders to attain the Cybersecurity Maturity Model Certification.  While the CMMC is still in development and being rolled out in phases over the next five years, companies currently or planning to do business with the DoD should absolutely be monitoring this closely and taking a proactive approach.  Organizations that comply with the current DFARS regulations will have a much easier time demonstrating their compliance with CMMC when it is fully implemented.  For more information, see our post here, which we will continue to update as COACT monitors the CMMC’s development and implementation.


The COACT Advantage

Many organizations that are or will be affected by these changes may underestimate the scope of the requirements and the resources needed to achieve and maintain compliance. COACT has provided consultation and security assessment and authorization services to many Federal agencies and commercial organizations to meet the requirements of multiple compliance frameworks. As an accredited FedRAMP Third Party Assessment Organization (3PAO), our Quality Management System and experience providing consulting services and performing assessments will be leveraged to help you meet these new requirements. If you would like additional information, please read our white paper or reach out to a COACT representative using the contact form below or by emailing info@coact.com.

Download COACT 800-171 whitepaper